@@ -1,3 +1,7 @@

+Sun Jan 15 16:43:36 CET 2006 (tk)

+---------------------------------

+  * libclamav: bruteforce sfx detection

+

 Fri Jan 14 14:51:01 CET 2006 (acab)

 ---------------------------------

   * libclamav: added yC support

@@ -33,7 +33,7 @@

 #include "matcher-ac.h"

 struct cli_magic_s {

-    int offset;

+    size_t offset;

     const char *magic;

     size_t length;

     const char *descr;

@@ -126,7 +126,7 @@ static const struct cli_magic_s cli_magic[] = {

     {0,  "\060\046\262\165\216\146\317", 7, "WMA/WMV/ASF",	  CL_TYPE_DATA},

     {0,  ".RMF" ,			 4, "Real Media File",	  CL_TYPE_DATA},

-    {-1, NULL,				 0, NULL,		  CL_TYPE_UNKNOWN_DATA}

+    {0, NULL,				 0, NULL,		  CL_TYPE_UNKNOWN_DATA}

 };

 static const struct cli_smagic_s cli_smagic[] = {

@@ -51,11 +51,18 @@ typedef enum {

     /* bigger numbers have higher priority (in o-t-f detection) */

     CL_TYPE_HTML, /* on the fly */

     CL_TYPE_MAIL,  /* magic + on the fly */

+    CL_TYPE_SFX, /* foo SFX marker */

     CL_TYPE_ZIPSFX, /* on the fly */

     CL_TYPE_RARSFX /* on the fly */

 } cli_file_t;

+struct cli_matched_type {

+    cli_file_t type;

+    size_t offset;

+    struct cli_matched_type *next;

+};

+

 cli_file_t cli_filetype(const char *buf, size_t buflen);

 cli_file_t cli_filetype2(int desc);

 int cli_addtypesigs(struct cl_engine *engine);

@@ -260,12 +260,13 @@ inline static int cli_findpos(const char *buffer, unsigned int depth, unsigned i

     return 1;

 }

-int cli_ac_scanbuff(const char *buffer, unsigned int length, const char **virname, const struct cli_matcher *root, int *partcnt, short otfrec, unsigned long int offset, unsigned long int *partoff, unsigned short ftype, int fd, unsigned long int *ftoffset)

+int cli_ac_scanbuff(const char *buffer, unsigned int length, const char **virname, const struct cli_matcher *root, int *partcnt, short otfrec, unsigned long int offset, unsigned long int *partoff, unsigned short ftype, int fd, struct cli_matched_type **ftoffset)

 {

 	struct cli_ac_node *current;

 	struct cli_ac_patt *pt;

 	int type = CL_CLEAN, dist, t;

         unsigned int i, position;

+	struct cli_matched_type *tnode;

     if(!root->ac_root)

@@ -316,11 +317,19 @@ int cli_ac_scanbuff(const char *buffer, unsigned int length, const char **virnam

 				if(++partcnt[pt->sigid] == pt->parts) { /* the last one */

 				    if(pt->type) {

 					if(otfrec) {

-					    if(pt->type > type) {

+					    if(pt->type > type || pt->type >= CL_TYPE_SFX) {

 						cli_dbgmsg("Matched signature for file type: %s\n", pt->virname);

 						type = pt->type;

-						if(ftoffset)

-						    *ftoffset = offset + position;

+						if(ftoffset && ftype == CL_TYPE_MSEXE && type >= CL_TYPE_SFX) {

+						    if(!(tnode = cli_calloc(1, sizeof(struct cli_matched_type)))) {

+							cli_errmsg("Can't alloc memory for new type node\n");

+							return CL_EMEM;

+						    }

+						    tnode->type = type;

+						    tnode->offset = offset + position;

+						    tnode->next = *ftoffset;

+						    *ftoffset = tnode;

+						}

 					    }

 					}

 				    } else {

@@ -336,12 +345,20 @@ int cli_ac_scanbuff(const char *buffer, unsigned int length, const char **virnam

 		    } else { /* old type signature */

 			if(pt->type) {

 			    if(otfrec) {

-				if(pt->type > type) {

+				if(pt->type > type || pt->type >= CL_TYPE_SFX) {

 				    cli_dbgmsg("Matched signature for file type: %s\n", pt->virname);

 				    type = pt->type;

-				    if(ftoffset)

-					*ftoffset = offset + position;

+				    if(ftoffset && ftype == CL_TYPE_MSEXE && type >= CL_TYPE_SFX) {

+					if(!(tnode = cli_calloc(1, sizeof(struct cli_matched_type)))) {

+					    cli_errmsg("Can't alloc memory for new type node\n");

+					    return CL_EMEM;

+					}

+					tnode->type = type;

+					tnode->offset = offset + position;

+					tnode->next = *ftoffset;

+					*ftoffset = tnode;

+				    }

 				}

 			    }

 			} else {

@@ -21,11 +21,12 @@

 #include "clamav.h"

 #include "matcher.h"

+#include "filetypes.h"

 #define AC_DEFAULT_DEPTH 2

 int cli_ac_addpatt(struct cli_matcher *root, struct cli_ac_patt *pattern);

-int cli_ac_scanbuff(const char *buffer, unsigned int length, const char **virname, const struct cli_matcher *root, int *partcnt, short otfrec, unsigned long int offset, unsigned long int *partoff, unsigned short ftype, int fd, unsigned long int *ftoffset);

+int cli_ac_scanbuff(const char *buffer, unsigned int length, const char **virname, const struct cli_matcher *root, int *partcnt, short otfrec, unsigned long int offset, unsigned long int *partoff, unsigned short ftype, int fd, struct cli_matched_type **ftoffset);

 int cli_ac_buildtrie(struct cli_matcher *root);

 void cli_ac_free(struct cli_matcher *root);

 void cli_ac_setdepth(unsigned int depth);

@@ -274,7 +274,7 @@ int cli_validatesig(unsigned short target, unsigned short ftype, const char *off

     return 1;

 }

-int cli_scandesc(int desc, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, short otfrec, unsigned short ftype, unsigned long int *ftoffset)

+int cli_scandesc(int desc, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, short otfrec, unsigned short ftype, struct cli_matched_type **ftoffset)

 {

  	char *buffer, *buff, *endbl, *pt;

 	int bytes, buffsize, length, ret, *gpartcnt, *tpartcnt;

@@ -20,10 +20,11 @@

 #define __MATCHER_H

 #include "clamav.h"

+#include "filetypes.h"

 #define CL_TARGET_TABLE_SIZE 7

-int cli_scandesc(int desc, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, short otfrec, unsigned short ftype, unsigned long int *ftoffset);

+int cli_scandesc(int desc, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, short otfrec, unsigned short ftype, struct cli_matched_type **ftoffset);

 int cli_scanbuff(const char *buffer, unsigned int length, const char **virname, const struct cl_engine *engine, unsigned short ftype);

@@ -285,7 +285,6 @@ static int cli_scanzip(int desc, const char **virname, unsigned long int *scanne

 	lseek(desc, offset, SEEK_SET);

     if((zdir = zzip_dir_fdopen(dup(desc), &err)) == NULL) {

-	cli_dbgmsg("Zip: Not supported file format ?.\n");

 	cli_dbgmsg("Zip: zzip_dir_fdopen() return code: %d\n", err);

 	/* no return with CL_EZIP due to password protected zips */

 	return CL_CLEAN;

@@ -1646,7 +1645,7 @@ int cli_magic_scandesc(int desc, const char **virname, unsigned long int *scanne

     if(type != CL_TYPE_DATA && ret != CL_VIRUS) { /* scan the raw file */

 	    int ftrec;

-	    unsigned long int ftoffset;

+	    struct cli_matched_type *ftoffset = NULL, *fpt;

 	switch(type) {

 	    case CL_TYPE_UNKNOWN_TEXT:

@@ -1685,19 +1684,36 @@ int cli_magic_scandesc(int desc, const char **virname, unsigned long int *scanne

 		    break;

 		case CL_TYPE_RARSFX:

-		    if(SCAN_ARCHIVE && type == CL_TYPE_MSEXE) {

-			cli_dbgmsg("RAR-SFX found at %d\n", ftoffset);

-			if(cli_scanrar(desc, virname, scanned, engine, limits, options, arec, mrec, ftoffset) == CL_VIRUS)

-			    return CL_VIRUS;

-                    }

+		case CL_TYPE_ZIPSFX:

+		    if(type == CL_TYPE_MSEXE) {

+			if(SCAN_ARCHIVE) {

+			    fpt = ftoffset;

+			    while(fpt) {

+				if(fpt->type == CL_TYPE_RARSFX) {

+				    cli_dbgmsg("RAR-SFX signature found at %d\n", fpt->offset);

+				    if((ret = cli_scanrar(desc, virname, scanned, engine, limits, options, arec, mrec, fpt->offset) == CL_VIRUS))

+					break;

+				} else if(fpt->type == CL_TYPE_ZIPSFX) {

+				    cli_dbgmsg("ZIP-SFX signature found at %d\n", fpt->offset);

+				    if((ret = cli_scanzip(desc, virname, scanned, engine, limits, options, arec, mrec, fpt->offset) == CL_VIRUS))

+					break;

+				}

+				fpt = fpt->next;

+			    }

+			}

+

+			while(ftoffset) {

+			    fpt = ftoffset;

+			    ftoffset = ftoffset->next;

+			    free(fpt);

+			}

+

+			if(ret == CL_VIRUS)

+			    return ret;

+		    }

 		    break;

-		case CL_TYPE_ZIPSFX:

-		    if(SCAN_ARCHIVE && type == CL_TYPE_MSEXE) {

-			cli_dbgmsg("ZIP-SFX found at %d\n", ftoffset);

-			if(cli_scanzip(desc, virname, scanned, engine, limits, options, arec, mrec, ftoffset) == CL_VIRUS)

-			    return CL_VIRUS;

-                    }

+		default:

 		    break;

 	    }

 	    nret == CL_TYPE_MAIL ? mrec-- : arec--;